United  States  General  Accounting  Office 


GAO 


Report  to  the  Chairman,  Committee  on 
Health,  Education,  Labor,  and  Pensions, 
U.S.  Senate 


MEDICAL  PRIVACY 
REGULATION 

Questions  Remain 
About  Implementing 
the  New  Consent 
Requirement 


GAO 

Accountability  *  Integrity  *  Reliability 


GAO-01-584


Form  SF298  Citation  Data

Report  Date  ("DD  MON  YYYY"):  00APR2001

Report  Type:  N/A

Title  and  Subtitle:  MEDICAL  PRIVACY  REGULATION  Questions  Remain  About  Implementing  the  New  Consent  Requirement

Performing  Organization  Name(s)  and  Address(es):  General  Accounting  Office,  PO  Box  37050,  Washington,  DC  20013

Performing  Organization  Number(s):  GAO-01-584

Distribution/Availability  Statement:  Approved  for  public  release,  distribution  unlimited

Abstract

Although  there  is  a  strong  consensus  supporting  the  protection  of  patient  confidentiality,  views  differ  as  to
the  best  ways  in  practice  to  achieve  that  goal.  Pressures  are  increasing  from  insurers,  providers,  and
researchers  to  draw  on  medical  records  to  study  treatment  outcomes  and  monitor  expenditures,  activities
that  are  becoming  increasingly  common  as  medical  records  are  computerized  and  large  databases
compiled.  In  recognition  of  these  trends,  the  Health  Insurance  Portability  and  Accountability  Act  of  1996
called  for  the  development  of  comprehensive  privacy  standards  that  would  establish  rights  for  patients
with  respect  to  their  medical  records  and  define  the  conditions  for  using  and  disclosing  personally
identifiable  health  information.1  On  December  28,  2000,  the  Department  of  Health  and  Human  Services
(HHS)  issued  the  final  regulation  on  privacy,  and  it  is  now  under  review  by  the  Congress  and  the  new
Secretary  of  HHS.2

Document  Classification:  unclassified

Classification  of  SF298:  unclassified

Contents 

Letter

Appendix  I:  Selected  State  Statutes  on  Consent

Appendix  II:  Organizations  Interviewed

Abbreviations 

AHA  American  Hospital  Association 

AMA  American  Medical  Association 

HHS  Department  of  Health  and  Human  Services 

HPP  Health  Privacy  Project 

MGMA  Medical  Group  Management  Association 


GAO-01-584  Patient  Consent


United  States  General  Accounting  Office 
Washington,  DC  20548 


April  6,  2001 

The  Honorable  James  M.  Jeffords 
Chairman,  Committee  on  Health,  Education, 

Labor,  and  Pensions 
United  States  Senate 

Dear  Mr.  Chairman: 

Although  there  is  a  strong  consensus  supporting  the  protection  of  patient 
confidentiality,  views  differ  as  to  the  best  ways  in  practice  to  achieve  that 
goal.  Pressures  are  increasing  from  insurers,  providers,  and  researchers  to 
draw  on  medical  records  to  study  treatment  outcomes  and  monitor 
expenditures,  activities  that  are  becoming  increasingly  common  as 
medical  records  are  computerized  and  large  databases  compiled.  In 
recognition  of  these  trends,  the  Health  Insurance  Portability  and 
Accountability  Act  of  1996  called  for  the  development  of  comprehensive 
privacy  standards  that  would  establish  rights  for  patients  with  respect  to 
their  medical  records  and  define  the  conditions  for  using  and  disclosing 
personally  identifiable  health  information.1  On  December  28,  2000,  the 
Department  of  Health  and  Human  Services  (HHS)  issued  the  final 
regulation  on  privacy,  and  it  is  now  under  review  by  the  Congress  and  the 
new  Secretary  of  HHS.2 

One  prominent  point  of  disagreement  is  whether  the  federal  government 
should  require  health  providers  to  obtain  patient  consent  prior  to  their  use 
or  disclosure  of  personal  medical  information  for  purposes  of  treatment, 
payment,  and  routine  health  care  management  activities.  You  asked  us  to 
examine  the  consent  requirement  in  the  federal  privacy  regulation  and 
assess  (1)  how  it  differs  from  the  types  of  consent  providers  currently 
obtain  from  patients  and  (2)  its  potential  consequences  for  patients  and 
providers.  You  also  asked  us  to  review  how  states  that  have  passed  health 
privacy  laws  addressed  the  patient  consent  issue,  and  we  have  included
this  information  in  appendix  I.  To  meet  your  request,  we  contacted  18
organizations,  including  groups  representing  patients,  providers,  and
health  plans  as  well  as  a  group  practice,  an  integrated  health  care  system,
a  large  chain  pharmacy,  and  a  regional  health  plan.  (See  app.  II.)  In
addition,  we  reviewed  the  regulation  and  spoke  with  HHS  representatives
responsible  for  its  development.  We  performed  our  work  in  March  2001  in
accordance  with  generally  accepted  government  auditing  standards.

1P.L.  104-191,  sec.  264,  110  Stat.  1936,  2033.

2  65  Fed.  Reg.  82,462  (2000).  The  final  regulation  was  originally  set  to  become  effective
February  26,  2001,  with  most  entities  required  to  comply  no  later  than  February  26,  2003.
To  comply  with  the  requirements  of  the  Congressional  Review  Act,  however,  HHS  changed
the  effective  date  to  April  14,  2001,  with  most  entities  required  to  comply  no  later  than  April
14,  2003.  66  Fed.  Reg.  12,434  (2001).  Subsequently,  HHS  published  notice  that  it  would
accept  comments  on  the  regulation  through  March  30,  2001.  66  Fed.  Reg.  12,738  (2001).


Results  in  Brief 


The  privacy  regulation’s  consent  requirement  will  be  more  of  a  departure 
from  current  practice  for  some  providers  than  for  others.  Most  health  care 
providers,  with  the  exception  of  pharmacists,  obtain  consent  from  patients 
to  release  information  to  insurers  for  payment  purposes.  The  new 
requirement  adds  pharmacists  to  those  providers  obligated  to  obtain 
written  consent  before  they  can  use  or  disclose  patient  information  for 
routine  health  care  purposes.  These  purposes  now  include  treatment  and  a 
range  of  health  care  management  activities  as  well  as  payment.  Supporters 
of  the  requirement  believe  that  the  process  of  signing  a  consent  form 
provides  an  opportunity  to  inform  and  focus  patients  on  their  privacy 
rights.  Others,  however,  are  skeptical  and  assert  that  most  patients  will 
simply  sign  the  form  with  little  thought.  In  addition,  provider  and  other 
organizations  interviewed  are  concerned  that  the  new  consent 
requirement  poses  implementation  difficulties.  They  contend  that  it  could 
cause  delays  in  filling  prescriptions  for  patients  who  do  not  have  written 
consents  on  file  with  their  pharmacies,  impede  the  ability  of  hospitals  to 
obtain  patient  information  prior  to  admission,  hamper  efforts  to  assess 
health  care  quality  by  precluding  the  use  of  patient  records  from  years 
past,  and  increase  administrative  burdens  on  providers. 


Background 


The  final  medical  privacy  regulation  requires  that  most  providers  obtain 
patient  consent  to  use  or  disclose  health  information  before  engaging  in 
treatment,  payment,  or  health  care  operations.3  As  defined  in  the 
regulation,  health  care  operations  include  a  variety  of  activities  such  as 
undertaking  quality  assessments  and  improvement  initiatives,  training 
future  health  care  professionals,  conducting  medical  reviews,  and  case
management  and  care  coordination  programs.  The  consent  form  must
alert  patients  to  the  provider’s  notice  of  privacy  practices  (described  in  a
separate  document)  and  notify  them  of  their  right  to  request  restrictions
on  the  use  and  disclosure  of  their  information  for  routine  health  care
purposes.  Providers  are  not  required  to  treat  patients  who  refuse  to  sign  a
consent  form,  nor  are  they  required  to  agree  to  requested  restrictions.  The
consent  provision  applies  to  all  covered  providers  that  have  a  direct
treatment  relationship  with  patients.4  The  regulation  also  specifies  several
circumstances  where  such  prior  patient  consent  is  not  required.5  The
privacy  regulation  does  not  require  health  plans  to  obtain  written  patient
consent.6

3The  regulation  uses  the  term  “consent”  when  referring  to  written  permission  sought  prior
to  use  or  disclosure  of  personal  health  information  for  these  purposes.  It  uses  the  term
“authorization”  when  referring  to  written  permission  required  for  nonroutine  uses  and
disclosures  of  information,  such  as  releases  to  a  patient’s  attorney  or  to  an  employer  for
personnel  decisions.

This  approach  to  patient  consent  for  information  disclosures  differs  from 
that  in  HHS’  proposed  privacy  regulation,  issued  for  public  comment 
November  3,  1999.  The  proposed  regulation  would  have  permitted 
providers  to  use  and  disclose  information  for  treatment,  payment,  and 
health  care  operations  without  written  consent.  At  the  time,  HHS  stated 
that  the  existing  consent  process  had  not  adequately  informed  patients  of 
how  their  medical  records  could  be  used.  Comments  HHS  received  on  this 
provision  were  mixed.  Some  groups  approved  of  this  approach,  saying  it 
would  ensure  that  covered  entities  could  share  information  to  provide 
effective  clinical  care  and  operate  efficiently,  while  not  creating 
administrative  requirements  that  would  add  little  to  individual  privacy. 
However,  others  wrote  that  individuals  should  be  able  to  control  to  whom, 
and  under  what  circumstances,  their  individually  identifiable  health
information  would  be  disclosed,  even  for  routine  treatment,  payment,  or
health  care  operations.

4For  example,  primary  care  physicians  and  surgeons  have  a  direct  treatment  relationship
with  patients.  In  addition,  outpatient  pharmacists  are  generally  considered  to  have  such  a
relationship.  They  fill  prescriptions  written  by  other  providers,  but  they  furnish  the
prescription  and  advice  about  the  prescription  directly  to  the  patient,  not  through  another
treating  provider.  On  the  other  hand,  radiologists  and  pathologists  generally  have  indirect
treatment  relationships  with  patients  because  they  deliver  diagnostic  services  based  on  the
orders  of  other  providers  and  the  results  of  those  services  are  furnished  to  the  patient
through  the  direct  treating  provider.  Consequently,  for  these  providers,  medical  records
could  be  used  for  management  reviews  of  their  performance  without  patient  consent.

5These  include  (1)  in  emergency  treatment  situations,  if  the  provider  attempts  to  obtain
such  consent  as  soon  as  reasonably  practicable  after  the  delivery  of  treatment,  (2)  if  the
provider  is  required  by  law  to  treat  the  individual,  and  attempts  to  obtain  consent  but  is
unable  to  do  so,  and  (3)  if  a  provider  attempts  to  obtain  consent  from  the  individual  but  is
unable  to  do  so  because  of  communication  barriers,  and  he  or  she  determines  that  the
individual’s  consent  to  receive  treatment  is  clearly  implied  from  the  circumstances.

6Industry  representatives  told  us  that  health  plans  often  obtain  patient  consent.  Plans  may
ask  new  enrollees  to  sign  a  form  that  allows  access  to  their  medical  records  for  payment
and,  sometimes,  health  care  operations.


Most  Providers  Obtain  Consent  to  Disclose  Patient  Data  for  Insurance  Payment


The  extent  to  which  the  privacy  regulation’s  consent  requirement  will  be  a
departure  from  business  as  usual  varies  by  type  of  provider.  Under  current
practices,  physicians  and  hospitals  generally  obtain  consent  to  use  patient
data  for  processing  insurance  claims,  but  they  obtain  consent  substantially
less  often  for  treatment  or  health  care  operations.7  Pharmacists,  however,
typically  do  not  have  consent  procedures  in  place  for  any  of  the  routine
purposes  included  in  the  regulation.  Specifically:

•  Most,  but  not  all,  physicians  get  signed  written  consent  to  use  patient  data
for  health  insurance  payment.  Exceptions  to  this  practice  include
emergency  situations  and  patients  who  choose  to  pay  for  their  treatment
“out  of  pocket”  to  avoid  sharing  sensitive  information  with  an  insurer.
However,  physicians  do  not  typically  seek  approval  to  use  patient  data  to
carry  out  treatment  or  health  care  operations.

•  Nearly  all  hospitals  routinely  obtain  written  consent  at  the  time  of
admission,  at  least  for  release  of  information  to  insurance  companies  for
payment  purposes.8  A  1998  study  of  large  hospitals  found  that  97  percent
of  patient  consent  forms  sought  release  of  information  for  payment,  50
percent  addressed  disclosure  of  records  to  other  providers,  and  45  percent
requested  consent  for  utilization  review,  peer  review,  quality  assurance,  or
prospective  review — the  types  of  health  care  management  activities
considered  health  care  operations  in  the  federal  privacy  regulation.9

•  Pharmacies  do  not  routinely  obtain  patient  consent  related  to  treatment
(i.e.,  before  filling  a  prescription),  payment,  or  health  care  operations.
However,  industry  representatives  told  us  that  pharmacies  conducting
disease  management  programs  (specialized  efforts  to  ensure  appropriate
pharmaceutical  use  by  patients  with  certain  chronic  conditions)  typically
seek  consent  to  share  information  with  physicians  about  the  patients’
condition,  medical  regimen,  and  progress.

7It  is  also  common  for  patients  to  sign  consent  forms  before  undergoing  an  invasive
procedure.  However,  these  consents  have  to  do  with  informing  the  patient  about  possible
risks  and  benefits  of  the  treatment,  not  disclosure  and  use  of  the  data.

8Similar  to  physician  practices,  hospital  exceptions  include  patients  who  choose  to  “self-pay”
for  treatment,  and  emergency  situations,  such  as  when  a  patient  arrives  unconscious
at  the  emergency  room  with  no  one  to  act  on  his  or  her  behalf.

9J.  F.  Merz,  P.  Sankar,  S.  S.  Yoo,  “Hospital  Consent  for  Disclosure  of  Medical  Records,”
Journal  of  Law,  Medicine  and  Ethics  (Fall  1998),  p.  241.

The  new  consent  requirement  makes  several  important  changes  to  current 
practices  that  have  implications  for  patients  and  providers.  For  patients, 
they  will  be  made  aware  that  their  personal  health  information  may  be 
used  or  disclosed  for  a  broad  range  of  purposes  including  health  care 
operations.  Other  provisions  of  the  privacy  regulation  grant  patients 
additional  protections,  including  the  right  to  access  their  records,  to 
request  that  their  records  be  amended,  to  obtain  a  history  of  disclosures, 
and  to  request  restrictions  on  how  their  information  is  used.  For  providers 
directly  treating  patients,  they  will  have  a  legal  obligation  to  obtain  prior 
written  consent  and  to  use  a  form  that  meets  specific  content 
requirements. 


Perceived  Benefits  for  Patients  and  Implementation  Concerns  Among  Industry  Groups


Supporters  of  the  consent  requirement  argue  that  the  provision  gives 
patients  an  opportunity  to  be  actively  involved  in  decisions  about  the  use 
of  their  data.  Yet,  many  groups  recognize  that  signing  a  provider’s  consent 
form  does  not,  per  se,  better  inform  patients  of  how  their  information  will 
be  used  or  disclosed.  In  addition,  most  provider  organizations  we 
interviewed  told  us  that  the  privacy  regulation’s  consent  requirement  will 
be  a  challenge  to  implement  and  may  impede  some  health  care  operations. 


Consent  Requirement  Intended  to  Raise  Privacy  Awareness

The  American  Medical  Association  (AMA),  the  Bazelon  Center  for  Mental
Health  Law,  and  the  Health  Privacy  Project  (HPP)  indicated  that  the
consent  process  offers  important  benefits  to  patients.  These  groups  view
the  process  of  signing  a  consent  form  as  a  critical  tool  in  focusing  patient 
attention  on  how  personal  health  information  is  being  used.  They  assert 
that  only  providing  patients  with  a  notice  of  privacy  practices  is  not 
sufficient  because  most  patients  are  not  likely  to  understand  its 
importance,  much  less  read  it.  The  patient  advocacy  groups  told  us  that 
the  act  of  signing  the  consent  can  help  make  patients  aware  of  their  ability 
to  affect  how  their  information  is  used.  This  heightened  awareness,  in 
turn,  may  make  patients  more  likely  to  read  the  notice  of  privacy  practices 
or  to  discuss  privacy  issues  with  their  health  care  provider.  HPP  cited  the 
process  of  signing  consent  as  offering  an  “initial  moment”  in  which 
patients  have  an  opportunity  to  raise  questions  about  privacy  concerns 
and  learn  more  about  the  options  available  to  them.  This  opportunity  may 
be  especially  valuable  to  patients  seeking  mental  health  and  other 
sensitive  health  care  services. 



In  contrast,  many  groups  we  interviewed  question  the  value  of  the  consent 
form  for  patients.  For  example,  the  Medical  Group  Management 
Association  (MGMA)  and  the  American  Hospital  Association  (AHA)  assert 
that  the  process  of  signing  a  consent  form  may  be  perfunctory,  at  best,  and 
confusing,  at  worst.  To  some  extent,  patient  advocacy  groups  we  spoke 
with  agree.  They  say  that  patients  will  be  under  pressure  to  sign  the  form 
without  reading  the  notice,  as  providers  can  condition  treatment  upon 
obtaining  consent.  They  contend  that  many  patients  may  not  find  the 
consent  process  meaningful.  They  maintain  that  nevertheless  it  should  be 
required  for  the  benefit  it  offers  patients  who  may  be  particularly 
interested  in  having  a  say  about  how  their  health  information  will  be  used. 


Industry  Representatives  Anticipate  Difficulties  in  Implementing  the  Consent  Requirement


Health  plan  and  provider  organizations  we  interviewed  told  us  that  the 
consent  requirement  poses  implementation  difficulties  for  patients  and 
providers  both  during  the  regulation’s  initial  implementation  and  beyond. 
The  extent  of  these  challenges  and  their  potential  implications  vary  by 
type  of  provider.  In  general,  these  organizations  do  not  favor  written 
consents  for  routine  uses  of  patient  information,  although  they  support  the 
regulation’s  requirement  to  provide  patients  with  privacy  notices. 


The  consent  requirement  would  require  pharmacists  to  change  their 
current  practices.  Under  the  regulation,  a  patient  must  sign  a  consent  form 
before  a  pharmacist  can  begin  filling  the  prescription.  According  to  the 
American  Pharmaceutical  Association  and  the  National  Association  of 
Chain  Drug  Stores,  this  requirement  would  result  in  delays  and 
inconvenience  for  patients  when  they  use  a  pharmacy  for  the  first  time.10 
Also,  pharmacies  would  not  be  able  to  use  patient  information  currently  in 
their  systems  to  refill  prescriptions  or  send  out  refill  reminders  before 
receiving  patient  consent  to  do  so.  In  addition,  patients  who  spent  time  in 
different  parts  of  the  country  and  were  accustomed  to  transferring  their 
prescriptions  to  out-of-state  pharmacies  would  have  to  provide  consent  to 
one  or  more  pharmacies  before  their  prescriptions  could  be  filled. 
Pharmacy  and  other  organizations  have  suggested  that  the  privacy 
regulation  should  recognize  a  physician-signed  prescription  as  indicative 
of  patient  consent  or  that  pharmacies  could  be  considered  indirect 
providers  and  thus  not  subject  to  the  consent  requirement. 


10These  organizations  believe  that  a  consent  form  obtained  by  one  retailer  could  serve  for 
others  in  a  chain  within  the  same  state. 



Hospital  organizations  also  raised  concern  about  disruption  of  current 
practice  and  some  loss  of  efficiency.  AHA  and  Allina  Health  System 
representatives  stated  that  the  consent  requirement  could  impede  the 
ability  of  hospitals  to  collect  patient  information  prior  to  admission,  thus 
creating  administrative  delays  for  hospitals  and  inconvenience  for  some 
patients.  In  advance  of  nonemergency  admissions,  hospitals  often  gather 
personal  data  needed  for  scheduling  patient  time  in  operating  rooms, 
surgical  staff  assignments,  and  other  hospital  resources.  If  the  regulation  is 
interpreted  to  include  such  activities  as  part  of  treatment  or  health  care 
operations,  hospitals  would  be  required  to  get  the  patient’s  signed  consent 
before  setting  the  preadmissions  process  in  motion.  Either  a  form  would 
have  to  be  mailed  or  faxed  to  the  patient  and  sent  back,  or  the  patient 
would  have  to  travel  to  the  hospital  to  sign  it. 

Physician  and  hospital  groups  expressed  concern  that  the  requirement 
would  hinder  their  ability  to  conduct  health  care  management  reviews 
using  archived  records.  For  example,  AMA  and  AHA  told  us  that  the 
regulation  will  not  permit  them  to  use  much  of  the  patient  data  gathered 
under  previous  consent  forms.  While  the  regulation  has  a  transition 
provision  that  allows  providers  to  rely  on  consents  acquired  before  the 
regulation  takes  effect,  the  continuing  validity  of  those  preexisting 
consents  would  be  limited  to  the  purposes  specified  on  the  consent  form. 
In  most  cases,  the  purposes  specified  were  either  treatment  or  billing.  This 
means  that  providers  would  not  be  able  to  draw  on  those  data  for  other 
purposes,  including  common  health  care  management  functions,  such  as 
provider  performance  evaluations,  outcome  analyses,  and  other  types  of 
quality  assessments.11  Moreover,  they  said  that  in  many  cases  it  might  not 
be  feasible  to  retroactively  obtain  consent  from  former  patients.  Some 
have  suggested  revising  the  regulation  to  allow  providers  to  use,  without 
consent,  all  health  information  created  prior  to  the  regulation’s  effective 
date. 

All  of  the  organizations  representing  providers  and  health  plans  anticipate 
an  additional  administrative  burden  associated  with  implementing  the  new 
consent  procedures,  but  the  magnitude  of  the  potential  burden  is 
uncertain.  For  example,  if  the  use  of  new  forms  elicits  more  questions 
from  patients  about  medical  records  privacy,  as  the  provision’s  supporters 
expect  will  happen,  providers  will  have  to  devote  more  staff  time  to
explaining  consent  and  discussing  their  information  policies.  Similarly,
health  plan  and  provider  advocates  contend  that  focusing  patients’
attention  on  their  right  to  request  restrictions  on  how  their  information  is
used  could  result  in  many  more  patients  seeking  to  exercise  that  right.
This,  some  believe,  would  require  increased  staff  time  for  considering,
documenting,  and  tracking  restrictions.

11In  commenting  on  a  draft  of  this  report,  HHS  took  issue  with  this  interpretation  of  the
transition  provision.  See  Agency  Comments.


Concluding  Observations


The  privacy  regulation  expands  the  scope  of  the  consent  process  to 
include  the  use  and  disclosure  of  personal  health  information  for  a  wide 
range  of  purposes.  This  may  help  some  patients  become  aware  of  how 
their  medical  information  may  be  used.  However,  in  general,  provider  and 
health  plan  representatives  believe  that  the  consent  requirement’s  benefits 
are  outweighed  by  its  shortcomings,  including  delays  in  filling 
prescriptions,  impediments  to  hospital  preadmission  procedures,  and 
difficulty  in  using  archived  patient  information.  Regardless  of  the  presence 
of  the  consent  requirement,  providers  are  obligated  under  the  regulation  to 
protect  the  confidentiality  of  patient  information.  Moreover,  with  or 
without  the  consent  requirement,  patients’  rights  established  by  the 
privacy  regulation — to  see  and  amend  their  records,  to  learn  of  all 
authorized  uses  of  their  information,  and  to  request  restrictions  on 
disclosures — remain  unchanged. 


Agency  Comments 


HHS  provided  written  technical  comments  on  a  draft  of  this  report.  In 
them,  HHS  remarked  on  the  consent  requirement’s  applicability  to 
archived  patient  medical  records.  Agency  officials  explained  that  a 
consent  for  either  treatment,  payment,  or  health  care  operations  acquired 
before  the  regulation’s  compliance  date  would  be  valid  for  continued  use 
or  disclosure  of  those  data  for  all  three  of  these  purposes  after  that  date. 
Under  this  interpretation,  for  example,  prior  consents  to  disclose  patient 
information  for  insurance  claims  would  permit  uses  for  the  full  range  of 
health  care  operations  as  well,  unless  specifically  excluded  in  the  consent 
that  the  patient  signed.  In  our  view,  a  better  understanding  of  the 
implications  of  this  provision  may  emerge  from  any  revisions  to  the  final 
regulation. 

Referring  to  material  in  appendix  I,  the  agency  expressed  concern  that  we 
overgeneralized  current  state  consent  laws,  which  have  complex 
requirements  and  vary  significantly  from  one  to  another.  HHS  pointed  out 
that  some  state  laws  require  written  consent  in  some  circumstances  that 
would  be  considered  treatment,  payment,  or  health  care  operations.  We 
recognize  that  state  laws  are  complex  and  vary  widely  in  the  type  of  health
care  information  that  is  protected  and  the  stringency  of  those  protections.
While  it  is  difficult  to  generalize  about  state  laws,  we  found  that  the 
statutes  in  the  10  states  we  examined  were  fairly  consistent  in  not 
requiring  written  consent  for  the  full  range  of  uses  and  disclosures  of 
patient  information  for  treatment,  payment,  and  health  care  operations. 

The  agency  provided  other  technical  comments  that  we  incorporated 
where  appropriate. 


We  are  sending  copies  of  this  report  to  the  Honorable  Tommy  G. 
Thompson,  Secretary  of  HHS,  and  others  who  are  interested.  We  will  also 
make  copies  available  to  others  on  request. 

If  you  or  your  staff  have  any  questions,  please  call  me  at  (312)  220-7600  or
Rosamond  Katz,  Assistant  Director,  at  (202)  512-7148.  Other  key 
contributors  to  this  report  were  Jennifer  Grover,  Joel  Hamilton,  Eric 
Peterson,  and  Craig  Winslow. 

Sincerely  yours, 


Leslie  G.  Aronovitz,  Director 
Health  Care — Program  Administration 
and  Integrity  Issues 



Appendix  I:  Selected  State  Statutes  on  Consent


To  examine  how  state  privacy  laws  address  the  issue  of  patient  consent  to 
use  health  information,  we  reviewed  certain  laws  in  10  states  (Hawaii, 
Maine,  Maryland,  Minnesota,  Montana,  Rhode  Island,  Texas,  Virginia, 
Washington,  and  Wyoming).1  We  found  that  none  of  these  state  privacy 
statutes  include  a  consent  requirement  as  broad  as  that  found  in  the 
privacy  regulation.2  Although  they  generally  prohibit  using  or  disclosing 
protected  health  information  without  the  patient’s  permission,  they 
include  significant  exceptions  not  present  in  the  federal  regulation. 
Essentially,  none  of  the  state  statutes  we  reviewed  requires  consent  for  the 
full  range  of  uses  and  disclosures  of  patient  information  for  treatment  and 
health  care  operations.  The  Minnesota  and  Wyoming  statutes  require 
consent  to  use  patient  health  information  for  payment  purposes.3 

Two  states  recently  attempted  to  enhance  patient  control  over  their 
personal  health  information.  In  1996,  Minnesota  enacted  a  law  that  placed 
stringent  consent  requirements  on  the  use  of  patient  data  for  research.  It 
stipulated  that  patient  records  created  since  January  1,  1997,  not  be  used 
for  research  without  the  patient’s  written  authorization.  Because  such 
authorization  was  not  obtained  at  the  start  of  treatment,  researchers  had 
to  retroactively  seek  permission.  They  soon  found  that  many  patients  did 
not  respond  to  requests  for  such  authorization,  either  to  approve  or  to 
reject  the  use  of  their  data.  The  law  was  amended  to  permit  the  use  of 
records  in  cases  where  the  patient  had  not  responded  to  two  requests  for 


'These  states  were  suggested  to  us  by  privacy  law  experts.  The  state  laws  reviewed  were: 
Haw.  Rev.  Stat.  §§  323C-1  -  323C-55  (2000);  Me.  Rev.  Stat.  Ann.  tit.  22,  §  1711-C  (West  2000); 
Md.  Code  Ann.,  Health-General  §§  4-301-4-307  (2000);  Minn.  Stat.  §  144.335  (2000);  Mont. 
Code  Ann.  §§  50-16-501  -  50-16-553  (2000);  R.  I.  Code  R.  §  5-37.3-1  -  5-37.3-11;  Tex.  Health  & 
Safety  Code  Ann.  §§  241.151  -  241-156  (West  2000);  Va.  Code  Ann.  §  32.1-127.1:03  (Michie 
2000);  Wash.  Rev.  Code  §§  70.02.005  -  70.02.904  (2000);  Wyo.  Stat.  §§  35-2-605  -  35-2-617 
(Michie  2000). 

2Some  state  laws  require  additional  safeguards  related  to  the  use  or  disclosure  of  certain 
types  of  health  care  information,  such  as  HIV  status  or  mental  health  records.  However, 
none  of  the  laws  we  examined  established  the  type  of  two-tiered  system  of  written 
permission  involving  both  consent  for  treatment,  payment,  and  health  care  operations  and 
authorization  for  most  other  uses  and  disclosures.  Two  recent  comprehensive  surveys  of 
state  laws  related  to  the  protection  of  health  care  information  are  Lisa  L.  Dahm,  50-State 
Survey  on  Patient  Health  Care  Record  Confidentiality,  Health  Lawyers:  Expert  Series 
(Washington,  D.C.:  American  Health  Lawyers  Association,  June  1999)  and  Joy  Pritts  and 
others,  The  State  of  Health  Privacy:  An  Uneven  Terrain  (Washington,  D.C.:  Health  Privacy 
Project,  Institute  for  Health  Care  Research  and  Policy,  Georgetown  University,  Aug.  1999). 

3The  relevant  language  in  the  Washington  statute  is  nearly  identical  to  that  in  the  Wyoming 
law.  According  to  an  official  in  the  Washington  attorney  general’s  office,  however,  consent 
is  not  required  to  use  or  disclose  health  information  for  payment  purposes  in  Washington. 




authorization  mailed  to  the  patient’s  last  known  address.  At  one  major 
research  institution  in  Minnesota,  the  Mayo  Clinic,  that  change  decreased 
the  percentage  of  patient  records  that  the  patient  consent  requirement 
made  unavailable  for  studies  from  20.7  percent  to  3.2  percent.4 

In  late  1998,  Maine  enacted  a  comprehensive  law  requiring  specific  patient 
authorization  for  many  types  of  disclosures  and  uses  of  health 
information.  The  law  took  effect  January  1,  1999,  but  was  soon  suspended 
by  the  state  legislature  in  response  to  numerous  complaints  from  the 
public.  Particularly  problematic  was  that  “hospital  directory”  information 
could  not  be  released  without  the  patient’s  specific  written  authorization. 
Therefore,  until  routine  paperwork  was  completed,  hospitals  could  not 
disclose  patients’  room  or  telephone  numbers  when  friends,  family,  or 
clergy  tried  to  contact  or  visit  them.  Based  on  this  experience,  the  Maine 
legislature  substantially  modified  the  law,  which  became  effective  on 
February  1,  2000.  Among  other  changes,  the  revised  law  allows  a  hospital 
to  list  current  patients  in  a  publicly  available  directory  unless  a  patient 
specifically  requests  to  be  excluded.5 


4See  S.  J.  Jacobsen  and  others,  “Potential  Effect  of  Authorization  Bias  on  Medical  Record 
Research,”  Mayo  Clinic  Proceedings,  Vol.  74,  No.  3  (April  1999),  p.  333.  Mayo  Clinic 
researchers  remain  concerned  that  variations  in  the  rate  of  refusal  among  different  patient 
groups,  for  example,  young  versus  old,  may  tend  to  skew  the  results  obtained  from  these 
data. 

5The  federal  privacy  regulation  permits  hospital  directory  information  to  be  disclosed  as 
long  as  the  patient  has  been  given  an  opportunity  to  object  to  its  disclosure  and  has  not 
done  so. 




Appendix  II:  Organizations  Interviewed 


We  included  the  following  organizations  in  our  review: 

Allina  Health  System 

American  Association  of  Health  Plans 

American  Cancer  Society 

American  Hospital  Association 

American  Medical  Association 

American  Pharmaceutical  Association 

AvMed  Health  Plan 

Bazelon  Center  for  Mental  Health  Law 

Beaver  Medical  Group 

Blue  Cross  and  Blue  Shield  Association 

CVS  Pharmacy,  Inc. 

Health  Care  Compliance  Association 

Healthcare  Leadership  Council 

Health  Privacy  Project 

MargretVA  Consulting,  LLC 

Medical  Group  Management  Association 

National  Association  of  Chain  Drug  Stores 

National  Association  of  Public  Hospitals  and  Health  Systems 


(290022) 




Ordering  Information 


The  first  copy  of  each  GAO  report  is  free.  Additional  copies  of  reports  are 
$2  each.  A  check  or  money  order  should  be  made  out  to  the 
Superintendent  of  Documents.  VISA  and  MasterCard  credit  cards  are  also 
accepted. 


Orders  for  100  or  more  copies  to  be  mailed  to  a  single  address  are 
discounted  25  percent. 

Orders  by  mail: 

U.S.  General  Accounting  Office 
P.O.  Box  37050 
Washington,  DC  20013 

Orders  by  visiting: 

Room  1100 

700  4th  St.,  NW  (corner  of  4th  and  G  Sts.  NW) 

Washington,  DC  20013 

Orders  by  phone: 

(202)  512-6000 
fax:  (202)  512-6061 
TDD  (202)  512-2537 

Each  day,  GAO  issues  a  list  of  newly  available  reports  and  testimony.  To 
receive  facsimile  copies  of  the  daily  list  or  any  list  from  the  past  30  days, 
please  call  (202)  512-6000  using  a  touchtone  phone.  A  recorded  menu  will 
provide  information  on  how  to  obtain  these  lists. 

Orders  by  Internet 

For  information  on  how  to  access  GAO  reports  on  the  Internet,  send  an  e-mail  message  with  “info”  in  the  body  to: 

Info@www.gao.gov 

or  visit  GAO’s  World  Wide  Web  home  page  at: 
http://www.gao.gov 


To  Report  Fraud, 
Waste,  and  Abuse  in 
Federal  Programs 


Contact  one: 

Web  site:  http://www.gao.gov/fraudnet/fraudnet.htm 

E-mail:  fraudnet@gao.gov 

1-800-424-5454  (automated  answering  system) 




